AWS Bedrock Guardrails
Secure your AI applications with AWS Bedrock’s guardrail capabilities through Portkey.
AWS Bedrock Guardrails provides a comprehensive solution for securing your LLM applications, including content filtering, PII detection and redaction, and more.
To get started with AWS Bedrock Guardrails, visit their documentation:
Get Started with AWS Bedrock Guardrails
Using AWS Bedrock Guardrails with Portkey
1. Create a guardrail on AWS Bedrock
- Navigate to AWS Bedrock -> Guardrails -> Create guardrail
- Configure the guardrail according to your requirements
- For PII redaction, we recommend setting the Guardrail behavior as BLOCK for the required entity types. This is necessary because Bedrock does not apply PII checks on input (request message) if the behavior is set to MASK
- Once the guardrail is created, note the ID and version displayed on the console - you’ll need these to enable the guardrail in Portkey
2. Enable Bedrock Plugin on Portkey
- Navigate to the Integration page under Sidebar
- Click on the edit button for the Bedrock integration
- Add your Bedrock Region, AwsAuthType, Role ARN & External ID credentials (refer to Bedrock’s documentation for how to obtain these credentials)
3. Create a Guardrail on Portkey
- Navigate to the Guardrails page and click the Create button
- Search for Apply bedrock guardrail and click Add
- Enter the Guardrail ID and version of the guardrail you created in step 1
- Enable or disable the Redact PII toggle as needed
- Set any actions you want on your guardrail check, and click Create
Guardrail Actions allow you to orchestrate your guardrail logic. You can learn about them here
4. Add Guardrail ID to a Config and Make Your Request
- When you save a Guardrail, you’ll get an associated Guardrail ID - add this ID to the before_request_hooks or after_request_hooks params in your Portkey Config
- Create these Configs in Portkey UI, save them, and get an associated Config ID to attach to your requests. More here.
Here’s an example configuration:
For more, refer to the Config documentation.
Using AWS Bedrock Guardrails - Scenarios
After setting up your guardrails, there are different ways to use them depending on your security requirements:
Only Detect PII, Harmful Content, etc.
To simply detect but not redact content:
- Keep the Redact PII flag disabled when creating the guardrail on Portkey
- If any filters are triggered, the response status code will be 246 (instead of 200)
- The response will include a hook_results object with details for all checks
Redact PII and Detect Other Filters
To automatically redact PII while still checking for other issues:
- Enable the Redact PII flag when creating the guardrail on Portkey
- If PII is detected, it will be automatically redacted and the status code will be 200
- If other issues (like harmful content) are detected, the response code will be 246
- The response will include a hook_results object with all check details
- If PII was redacted, the results will have a flag named transformed set to true
Deny Requests with Policy Violations
To completely block requests that violate your policies:
- Enable the Deny option in the guardrails action tab
- If any filters are detected, the request will fail with response status code 446
- However, if only PII is detected and redaction is enabled, the request will still be processed (since the issue was automatically resolved)
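The three scenarios above reduce to a client-side decision on the status code and the transformed flag. The following is an added example, not code from Portkey or this page: the function names, the fail-closed default for 246 and the nesting inside hook_results are assumptions, and the sample bodies are constructed.

```python
from dataclasses import dataclass

OK, CHECKS_FAILED, DENIED = 200, 246, 446  # status codes as documented above

@dataclass
class Decision:
    deliver: bool   # may the content be passed on to the user?
    redacted: bool  # did a guardrail rewrite (redact) the content?
    reason: str

def any_transformed(node) -> bool:
    """True if any object nested in hook_results has transformed == True."""
    if isinstance(node, dict):
        return node.get("transformed") is True or any(
            any_transformed(v) for v in node.values())
    if isinstance(node, list):
        return any(any_transformed(v) for v in node)
    return False

def decide(status: int, body: dict, allow_flagged: bool = False) -> Decision:
    """Map a gateway response to a deliver/withhold decision (fail closed)."""
    redacted = any_transformed(body.get("hook_results", {}))
    if status == OK:
        return Decision(True, redacted, "PII redacted" if redacted else "clean")
    if status == CHECKS_FAILED:
        # 246 is a 2xx code, so HTTP clients report success; withhold unless
        # the application has explicitly opted in to detect-only behaviour.
        return Decision(allow_flagged, redacted, "guardrail check failed")
    if status == DENIED:
        return Decision(False, redacted, "request denied by guardrail")
    return Decision(False, redacted, f"unexpected status {status}")

# Constructed sample bodies. Only the hook_results key and the transformed
# flag come from the page; the nesting and the other fields are assumed.
REDACTED_BODY = {"hook_results": {"before_request_hooks": [
    {"id": "example-guardrail-id", "transformed": True}]}}
FLAGGED_BODY = {"hook_results": {"after_request_hooks": [
    {"id": "example-guardrail-id", "transformed": False}]}}

if __name__ == "__main__":
    for status, body in [(200, {}), (200, REDACTED_BODY),
                         (246, FLAGGED_BODY), (446, FLAGGED_BODY)]:
        print(status, decide(status, body))
```

Because 246 falls in the 2xx range, error handling that only checks for 4xx/5xx will not notice a failed guardrail check; compare the status code explicitly.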
Using Raw Guardrails with AWS Bedrock
You can define AWS Bedrock guardrails directly in your code for more programmatic control without using the Portkey UI. This “raw guardrails” approach lets you dynamically configure guardrails based on your application’s needs.
We recommend creating guardrails using the Portkey UI whenever possible. Raw guardrails are more complex and require you to manage credentials and configurations directly in your code.
Get Support
If you face any issues with the AWS Bedrock Guardrails integration, just ping us on the community forum.